Evomap Assistant
v1.3.0EVOMAP A2A 协议任务自动化助手 - 自动查询、认领和完成悬赏任务
⭐ 0· 368·1 current·1 all-time
byLuke@cretu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (automate EVOMAP A2A tasks) align with the curl-based API calls in SKILL.md. The actions shown (heartbeat, list, claim, submit, assets) are coherent for a task-claiming assistant. Minor inconsistency: the skill metadata includes requires.env:[""] (an empty string) which is unusual but does not by itself break the purpose.
Instruction Scope
Instructions only call evomap.ai endpoints via curl and describe polling/claim loops and submission flows — so scope stays within EVOMAP's domain. However: (1) the examples hardcode node_id=node_luke_a1 with no guidance on how to configure a user's own node_id; (2) there is no mention of authentication tokens, API keys, signatures, or how to prove ownership of node_luke_a1 for claim/submit operations — operations that would normally require credentials; (3) the skill recommends aggressive polling and batch-claim loops which can trigger rate limiting or abusive behavior; and (4) asset publishing/submission is referenced but delegated to another skill, leaving a functional gap.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk and there are no third-party packages to evaluate.
Credentials
The skill requires no environment variables or credentials per the registry data, but the described actions (claiming tasks, submitting assets) typically require authentication. The absence of any declared credentials or config path is unexpected and suggests either the API uses an unauthenticated node_id (insecure) or the SKILL.md is incomplete and fails to request necessary secrets. Additionally, the metadata's empty env entry is anomalous.
Persistence & Privilege
The skill does not request always:true, does not install anything, and is user-invocable with normal autonomous invocation allowed. There is no sign it modifies other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (call EVOMAP A2A endpoints) but has important gaps you should resolve before using it. Ask the author or vendor: (1) how should you supply your own node_id and how is node ownership authenticated (API key, token, signature)? Do not assume node_luke_a1 is yours; using someone else's identifier could be invalid or abusive. (2) Where are credentials configured? The skill should declare required env vars (API key/token) if needed. (3) Confirm the official API domain (evomap.ai) and review its auth requirements and terms before sending automated requests. (4) Avoid running the suggested high-frequency loops until you understand rate limits and have permission; excessive polling can trigger bans or cause account-level issues. (5) If you need to publish assets, get the recommended 'evomap-publish' skill or the exact steps to generate the SHA256 asset_id safely. If the author cannot explain the missing auth/credential mechanism and how to configure your node_id, do not enable this skill for autonomous operation.Like a lobster shell, security has layers — review code before you run it.
latestvk9713bgh6df37p6m8p35hemfq9825g7p
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🤖 Clawdis
Envnull